Put another way, I would think that individual engineers would be better off learning the underlying tech and the tools provided that go with them. I think it's very possible that Flox (or devenv or...) reaches EOL, or ceases to track nixpkgs appropriately, or any of the other ways that software rots. Where nix develop is going to last as long as Nix Flakes do, and there's incentive to provide a migration path to whatever's next.
Even more important: every abstraction is going to leak. Maybe the Flox CLI "looks" cleaner or whatever, but in the end you'll still need to learn Nix to use it effectively. Why learn twice as much stuff as you need?
I use Nix at work, to distribute tools to (among other places) developers outside my team. I'm also the person within my team who knows Nix best.
We're currently using devenv.sh to present a prettier interface to those users, who are developers. I don't expect those devs to learn much about Nix, but I do expect to some extent to be responsible for educating and supporting them as issues inevitably come up.
I've not really tried Flox (now that I can do so without any signups and the CLI tool is open-source, I'm more seriously tempted to dig in than before!). But for me, the proposition isn't really learning 2 things vs. 1 or even asking other people to do so. The question is which interface is going to be easier for me to support— my expectation is that if/when things go awry, I'll end up relying on the same Nix knowledge either way. So I don't really see Flox changing what the developers I support are expected to master, but if Flox is something that developers I support find convenient and pleasant to use, I can imagine it reducing UX and documentation work I have to do with the Nix-based tooling I'm gluing together. It may also save me infrastructure burdens, in terms of setting up shared binary caches or helping users share environment configs and Nix code.
I'd really love to support a developer so obsessive and curious that they felt the need to learn and master Nix because they were using Flox as a dependency of my project. I'd like to think that as someone who knows my way around the Nix ecosystem, I could make exploring how Nix works and how Flox adds to it fun for them. But I can also imagine being that developer and feeling annoyed at the prospect of 'having' to learn two tools. I hear that.
They don't, but I have respect and sympathy for developers who prefer to dig deeper with learning their tools, and how that might make them tend to prefer stacks with fewer layers sometimes. I think it's a valid concern, especially for hobbyist and experimental/autodidactic use cases. In a corporate environment or within a team, people typically specialize and defer to each other in various areas, so maybe it matters less there.
I'm extremely amused that one of the trials here was "how do I measure 6 liters of water with a 12 liter jug and a 6 liter jug?" and the article completely glosses over the fact that the framework doesn't help GPT find the simple answer "fill the six liter jug"
"A few days ago, I came across this problem" - well, volume 4A of The Art of Computer Programming was published in 2011, which gives a pretty good treatment of the Langford Pairs. The author might've made their reference clear, and called out that the Python implementation was their own contribution
Hello! I am the author of this post and I did not have access to volume 4A of the Art of Computer Programming. Therefore I could not have made a reference to that book. In fact, I've never read that book.
This particular problem was shared by a colleague of mine in an internal mathematics puzzle forum. This was back in the days when my friends, some of my colleagues, and I were much younger and going through a phase in our lives when we used to challenge each other with mathematical puzzles. This blog post was a response to one such challenge.
The solution is my own. How similar do you find this solution to the one in Knuth's book? If it is indeed very similar, I would be a little amused but not too surprised because I think the approach I laid out in my solution is one of the few obvious paths to a solution. In fact, some of my colleagues independently came up with very similar proofs for the necessary condition.
Does any have experiences with Primus they can share?
The idea of being able to insulate the rest of the code from the specifics of which lower-level library I'm using is very attractive. On the other hand, any abstraction layer can introduce bugs in its own right. Thoughts about the tradeoff?
I'm using it now for a project that's due to go live early next year and so far it's been a dream. Case in point, I ran in to a bug on Monday and it turned out to be with engine.io itself rather than Primus. The workaround was a one line code change swapping the transformer to something else.
Arnout Kazemier (the lead dev) is a really nice guy and when I pinged him about the egine.io bug, he pushed out a change to Primus 24 hours later that worked around the bug and let me continue to use engine.io as the transformer.
I was using socket.io until about two weeks ago when I ran into some reconnecting issues that weren't fixed. I decided to use Primus + Multiplex + Emitter. I have only run into one issue so far with Multiplex on IE10, but that was fixed quickly. Otherwise the package seems rather solid.
I just wish that various app stores had an "in-app purchase" filter. I'd spend more time browsing them if I could filter out the noise of not-actually-free apps.
DCVS is a fantastic advance. Git isn't the best example of that, though. IMO, the UX problems of Git have everything to do with its internal model of revision history, not the structure of the internals. But I still pine for http://monotone.ca
Which is all interesting, except the shell script is a wrapper on "download this tarball and unpack it" or "download this rpm/deb and install it." So whatever security concerns existed on those approaches, you only concealed them. Why exactly?
I wish we had shell script installers that are 1. easily proofreadable, and 2. served over SSL, like this:
#!/bin/bash
#
# Installs a product from the Internet.
# PLEASE READ CAREFULLY!
#
mkdir /tmp/foo-installer
cd /tmp/foo-installer
cat > file_2.sh <<________EOF_file2.sh________________________________________
A very long script here....
A very long script here....
A very long script here....
________EOF_file2.sh________________________________________
base64 -d > file2.png <<________EOF_file2.png_______________________________________
iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz
AAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAATdEVY
dFRpdGxlAE9wdGljYWwgRHJpdmU+Z7oMAAABkUlEQVQ4jaWSvy9DURTHv6d9ty0tSgivkdBUkGgR
GotNxGoXjY21SJp0ag2CR8SE2oQ0Qiw2RPwDSASLkDL5EbwOlDZpj6mJ5z2/4puc5eZ7P/ec7z3E
zPiPJKPDjsF4q7u2cvj2XvVbhUjuTPd2HhIlAKCd2f0lwD+0KsuVZTGrTTTcPyRfhZBSP3VAzAz/
0KrsLHZsZbNZ8fzyFiemoxzlzg5i/Te/GsFTI08mru7CRpeUmckIwEEQkqHRsPszgIxCVJSJAaZc
H0BtPm9zmc/bnI2vrewTm+KhUHhZY2ZmTU0p4wu7e9tspN29bZ5Sxhc++k2fX2cg0N3VA1V91FV3
Vw8YCOgy0BxIkv3k9Bg+b4tutKvrBCRJsn8LAICK8gpcXJ4jlUpBTT5BCAEAcJaU6ryGALPZjAKb
DSYTwWIRyGTSSGfSsDscOq8uAwAoLMx3SWAA+X8ig63XAYgQXVyaR1FRMaqqXPC469BY3wSXXI2N
zXUQIarxG+3B7JwSYdYa8/CRYGjsR8BfZJjBX/QObiW573fRhdIAAAAASUVORK5CYII=
________EOF_file2.png_______________________________________
To be fair, Bearer Token is only one option for credentialing under Oauth2 (which also includes e.g. MAC, which is as good a authentication token as you could ask for).
And: Bearer Token is as good as the session cookies that are used in every app everywhere.
There's a valid criticism of OAuth2, and that's that there are lots of decisions that are left up to the Authorization server implementer, and they need to know what they're doing. And this is security: no one knows what they're doing well enough.
Absolutely; however, the example given was Instagram, though, who uses bearer tokens, which are at once the easiest and least secure option. Since people tend to take the path of least resistance, they also seem to be the most popular option by a wide margin.
I use and enjoy OAuth2, and I'm not trying to bag on it; you're absolutely right in that it's up to the server to do things Right (and few people do; the fact that nearly nobody uses the state parameter is evidence enough of that!). However, I do think it's ridiculously faulty to hold Instagram's bearer token authorization up as the "secure way" to do things in contrast to OAuth1.
I think that both OAuth and OAuth2 are plenty secure in most use cases. TLS provides Good Enough(tm) protection for the vast majority of bearer token transactions, and as you point out, there's always MAC if you don't trust the integrity of the transport. But I do think it's ignorant to claim that OAuth 1 is insecure because you can pull the secrets out of a client app, while somehow claiming that OAuth 2 is secure against such attacks.
Even more important: every abstraction is going to leak. Maybe the Flox CLI "looks" cleaner or whatever, but in the end you'll still need to learn Nix to use it effectively. Why learn twice as much stuff as you need?